What VPN Types Are Supported By Azure?

UX/UI Designer at Adobe

If you’re looking to set up a VPN on Azure, you’ll need to know which types are supported. In this article, we’ll go over the different options so you can choose the best one for your needs.


VPN types

Azure supports different types of VPNs. The main types are point-to-site, site-to-site, and ExpressRoute. Point-to-site is good for small deployments or testing. Site-to-site is good for multi-site deployments. ExpressRoute is good for high-performance, low-latency traffic.

Policy-based VPNs

Policy-based VPNs encrypt and direct traffic through an IPsec tunnel based on the security policies defined in a dynamic access control list (ACL). Policy-based VPNs use dynamic multipoint GRE (DMVPN) tunnels. You can use this type of VPN when you have on-premises sites that have varying connection requirements. Policy-based VPNs are also known as route-based VPNs.

In a policy-based VPN, data is encrypted by using IPsec encryption and directed through a tunnel using generic routing encapsulation (GRE).

To allow for secure communications, all data passing through the tunnel is encrypted with an encryption algorithm, such as Advanced Encryption Standard (AES). The sending device attaches an AH or ESP header to the packet. This header includes information about the security association for the packet, such as an AES key.
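The paragraph above describes the AH/ESP header that IPsec puts in front of each protected packet. The following added example (not code from the page or from Azure) parses the ESP header as defined in RFC 4303, which carries a 32-bit Security Parameter Index (SPI) and a 32-bit sequence number; the receiver uses the SPI as a handle to find the Security Association that holds the AES key, and uses the sequence number for anti-replay checking. The SPI values, key bytes and packets are constructed samples, and `inbound` and `SecurityAssociation` are names chosen for this illustration.

```python
"""ESP header parsing, SA lookup by SPI and anti-replay window (added example).

Assumptions: SPI values, keys and packets below are constructed sample data;
the SA database is a plain dict keyed by SPI.
"""
import struct

# ESP header (RFC 4303): SPI and sequence number, both 32-bit, network byte order.
ESP_HEADER = struct.Struct("!II")


class SecurityAssociation:
    """One inbound SA: the cipher and key live here, never in the packet header."""

    def __init__(self, spi, cipher, key, window_size=64):
        self.spi = spi
        self.cipher = cipher
        self.key = key                    # secret key, referenced by SPI only
        self.window_size = window_size
        self.highest_seq = 0              # highest sequence number accepted so far
        self.window = 0                   # bit i set => highest_seq - i was seen

    def check_replay(self, seq):
        """Sliding anti-replay window (RFC 4303 section 3.4.3).

        Returns True and records seq if it is new and inside the window,
        False if it is zero, already seen, or older than the window.
        """
        if seq == 0:
            return False
        mask = (1 << self.window_size) - 1
        if seq > self.highest_seq:
            shift = seq - self.highest_seq
            self.window = ((self.window << shift) | 1) & mask
            self.highest_seq = seq
            return True
        diff = self.highest_seq - seq
        if diff >= self.window_size:
            return False                  # too old to be tracked
        bit = 1 << diff
        if self.window & bit:
            return False                  # already seen: replay
        self.window |= bit
        return True


def parse_esp(packet):
    """Split an ESP packet into (spi, sequence_number, encrypted_payload)."""
    if len(packet) < ESP_HEADER.size:
        raise ValueError("packet shorter than ESP header")
    spi, seq = ESP_HEADER.unpack_from(packet)
    return spi, seq, packet[ESP_HEADER.size:]


def inbound(sad, packet):
    """Receive-side processing: look up the SA by SPI, then check for replay.

    Returns a tuple starting with 'accept' or 'drop'.
    """
    spi, seq, payload = parse_esp(packet)
    sa = sad.get(spi)
    if sa is None:
        return ("drop", "no SA for SPI 0x%08x" % spi)
    if not sa.check_replay(seq):
        return ("drop", "replayed or stale sequence number %d" % seq)
    # Decryption with sa.key would happen here; the example only reports the cipher.
    return ("accept", sa.cipher, len(payload))


def build_sample_packet(spi, seq, payload=b"ciphertext"):
    """Constructed ESP packet: header followed by an opaque payload."""
    return ESP_HEADER.pack(spi, seq) + payload


if __name__ == "__main__":
    sad = {0x1000ABCD: SecurityAssociation(0x1000ABCD, "aes-256-gcm", bytes(32))}
    pkt = build_sample_packet(0x1000ABCD, 1)
    print(inbound(sad, pkt))             # accepted on first sight
    print(inbound(sad, pkt))             # same sequence number again: dropped
    print(inbound(sad, build_sample_packet(0xDEAD0001, 1)))   # unknown SPI
```

Replaying a captured packet is rejected because the sequence number has already been marked in the window, and a packet for an unknown SPI is dropped before any cryptography runs; both are cheap checks worth logging on a gateway.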

Route-based VPNs

Route-based VPNs are also known as dynamic gateways. A route-based VPN gateway uses the Routing and Remote Access Service (RRAS) to create a virtual private network (VPN) connection. RRAS is a Microsoft VPN gateway service that allows remote users and sites to connect to a private network by using the public Internet.

Route-based VPN gateways use a routing table to direct traffic between the virtual private network (VPN) gateway and the on-premises networks or other connected resources. Route-based gateways are used when you need more control over individual traffic flows, or when you want to implement advanced traffic policies. For more information about route-based gateways, see About Route-Based VPN Gateways.

Point-to-Site VPNs

Point-to-Site (P2S) VPNs are the simplest type of VPN to set up and manage, and don’t require a VPN device. P2S connections use IPsec and IKE to secure data traffic between a VPN client and a VPN gateway. A P2S connection can use one of the following protocols:

- Secure Socket Tunneling Protocol (SSTP). SSTP uses HTTPS to pass traffic through firewalls and web proxies, making it ideal for scenarios where port 443 is open but other ports are blocked.
- OpenVPN. OpenVPN uses SSL/TLS for key exchange, making it ideal for scenarios where port 443 is blocked.
- IKEv2/IPsec. IKEv2/IPsec connections can be used in environments where all ports are blocked except UDP port 500 (used for IKE key exchanges) and UDP port 4500 (used for IPsec NAT-T).

Azure VPN Gateway

Azure supports different types of virtual private network (VPN) technologies. You can use Azure VPN gateway to send encrypted traffic between an Azure virtual network and an on-premises location over the public Internet. The different types of VPNs supported by Azure are:

Azure VPN Gateway SKUs

Azure VPN Gateway connects your on-premises networks to Azure through Site-to-Site VPNs in a similar way that you set up and connect to a remote branch office. The connectivity is secure and uses the industry-standard protocols Internet Protocol Security (IPsec) and Internet Key Exchange (IKE).

You can connect Azure VPN Gateway to all three types of Azure Virtual Network gateways: PolicyBased, RouteBased, and VpnClient. This article discusses the different types of connections in more detail and provides information about SKUs for each type of gateway.

A PolicyBased gateway connection uses IPsec with IKEv1. All traffic is processed by the security policies that are defined as part of the connection. You can use this type of gateway if you need fine-grained control over traffic filtering and do not need support for BGP routing. PolicyBased gateways are supported only for the Basic pricing tier.

A RouteBased gateway connection uses IPsec with IKEv2 to provide secure, encrypted connectivity between an Azure virtual network gateway and an on-premises network or another virtual network. Traffic is processed by security policies and route tables, so you get fine-grained control over traffic filtering and high performance routing options that can scale as your deployment grows. RouteBased gateways are supported for the Basic, Standard, and HighPerformance pricing tiers.

A VpnClient gateway connection uses SSL/TLS with SSTP tunneling to provide secure, encrypted connectivity between an Azure virtual network gateway and an individual computer or device that has the VpnClient installed locally. This type of connection requires a certificate to authenticate the identity of the computer or device before it can connect. VpnClient connections are not supported when using ExpressRoute or site-to-site connections through a firewall device that performs Network Address Translation (NAT).

Azure VPN Gateway pricing

Azure VPN Gateway pricing is based on the number of VPN tunnels you need and the throughput you require. The price is also influenced by the type of VPN gateway you choose. There are three main types of Azure VPN gateways: Basic, Standard, and High Performance.

The Basic gateway is the least expensive but also has the lowest performance. It can support up to 500 Mbps of throughput and 30,000 simultaneous connections. The Standard gateway is more expensive but can support up to 1 Gbps of throughput and 60,000 simultaneous connections. The High Performance gateway is the most expensive but can support up to 2 Gbps of throughput and 120,000 simultaneous connections.

The type of VPN gateway you need will depend on your specific needs and workloads. If you have a small workload with low throughput requirements, the Basic gateway may be all you need. If you have a large workload with high throughput requirements, you will need a High Performance gateway.

Supported VPN types

Azure supports different types of VPNs. Selecting the right type of VPN is dependent on a number of factors. These include the type of Azure deployment, the needs of the virtual network, and the location of the users. The most common type of VPN supported by Azure is the site-to-site VPN.

Policy-based VPNs

Within Azure, two types of virtual private networks (VPNs) are supported:

- Policy-based VPNs
- Route-based VPNs

A policy-based VPN defines traffic flows based on application security policies. For example, you can allow or deny traffic to an application based on whether the application conforms to your corporate security policy. A route-based VPN defines traffic flows based on route tables. All traffic that matches a particular route is sent through the VPN. For example, you can configure a route-based VPN so that all traffic destined for your corporate network is sent through the VPN.

Policy-based VPNs are best suited for environments in which all of the devices that connect to the network use the same security policies. Route-based VPNs are more flexible and can be used in environments in which security policies differ from one device to another.

Route-based VPNs

Route-based VPNs are also known as dynamic VPNs. Route-based VPNs use a policy-based approach where packets are filtered according to the policies and routes defined in the configuration. A route-based VPN is created on top of a virtual private gateway and uses routing instead of policy-based filtering for traffic between VNets. The virtual private gateway has a single tunnel endpoint (tunnel mode), which can be Azure’s public IP address, an Azure ExpressRoute circuit or another VNet’s virtual private gateway. The VPN gateway will connect to the tunnel endpoint specified during creation. By default, all traffic is sent over the VPN tunnel except traffic destined for the VNet address space of the local network (on-premises or peer). If needed, you can add additional routes in your configuration that will also send traffic over the VPN tunnel (forced tunneling).
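The two selection models described in the "Policy-based VPNs" section above and in this paragraph (traffic selectors versus a routing table, with the local address space exempted and forced tunneling as an extra route) can be made concrete in a few lines. The following is an added example written for this article, not Azure's implementation: `PolicyBasedVpn` matches a packet against (local prefix, remote prefix) selectors, while `RouteBasedVpn` does a longest-prefix match on the destination, so a more specific local route keeps VNet traffic off the tunnel even after a `0.0.0.0/0` forced-tunneling route is added. All prefixes, addresses and tunnel names are constructed sample values.

```python
"""Policy-based vs route-based tunnel selection (added example, not Azure's code).

Assumptions: prefixes, addresses and tunnel names are constructed samples;
a tunnel is identified by a plain string.
"""
import ipaddress


def _net(prefix):
    return ipaddress.ip_network(prefix, strict=False)


class PolicyBasedVpn:
    """Policy-based: a packet is protected only if a traffic selector matches
    both its source prefix and its destination prefix."""

    def __init__(self):
        self.selectors = []   # list of (local_net, remote_net, tunnel)

    def add_selector(self, local, remote, tunnel):
        self.selectors.append((_net(local), _net(remote), tunnel))

    def select(self, src, dst):
        s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
        for local, remote, tunnel in self.selectors:
            if s in local and d in remote:
                return tunnel
        return None           # no selector matched: not sent through any tunnel


class RouteBasedVpn:
    """Route-based: the destination is looked up in a routing table and the
    most specific (longest) matching prefix decides the next hop."""

    def __init__(self, local_vnet):
        self.routes = []      # list of (prefix, next_hop)
        self.add_route(local_vnet, "local")   # own address space stays local

    def add_route(self, prefix, next_hop):
        self.routes.append((_net(prefix), next_hop))

    def enable_forced_tunneling(self, tunnel):
        # Default route through the tunnel; more specific routes still win.
        self.add_route("0.0.0.0/0", tunnel)

    def select(self, src, dst):
        # Source is ignored on purpose: route-based selection is destination-only.
        d = ipaddress.ip_address(dst)
        best = None
        for prefix, hop in self.routes:
            if d in prefix and (best is None or prefix.prefixlen > best[0].prefixlen):
                best = (prefix, hop)
        return best[1] if best else None


def demo():
    """Run both models on the same constructed packets; returns the decisions."""
    policy = PolicyBasedVpn()
    policy.add_selector("10.1.0.0/16", "192.168.0.0/16", "tunnel-onprem")

    routed = RouteBasedVpn("10.1.0.0/16")
    routed.add_route("192.168.0.0/16", "tunnel-onprem")
    before = routed.select("10.1.2.3", "8.8.8.8")
    routed.enable_forced_tunneling("tunnel-onprem")

    return {
        "policy_onprem": policy.select("10.1.2.3", "192.168.5.5"),
        "policy_internet": policy.select("10.1.2.3", "8.8.8.8"),
        "route_onprem": routed.select("10.1.2.3", "192.168.5.5"),
        "route_local": routed.select("10.1.2.3", "10.1.0.5"),
        "route_internet_before_forced": before,
        "route_internet_forced": routed.select("10.1.2.3", "8.8.8.8"),
    }


if __name__ == "__main__":
    for name, decision in demo().items():
        print(f"{name}: {decision}")
```

The difference a practitioner cares about shows up in `route_internet_forced` versus `route_local`: after forced tunneling is enabled, Internet-bound traffic goes through the tunnel, but traffic to the local VNet range still resolves to `local` because the /16 route is more specific than the /0 default.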

The following diagram shows how a route-based VPN works with two VNets connected by Azure’s public IP address:

Each subnet in each VNet must be associated with the route-based VPN gateway. When you create a route-based VPN gateway, it creates two subnets in your Azure VNet: GatewaySubnet and clusterSubnet. The clusterSubnet is used by the different components of Azure to manage communication with your gateway. The GatewaySubnet contains your actual VPN endpoint devices.

Point-to-Site VPNs

Point-to-Site (P2S) VPNs are used to connect individual clients, usually a single computer. P2S connections are typically used by remote workers who need to connect to their on-premises organization’s network and applications. P2S connections can also be used by on-premises network administrators to troubleshoot VPN problems when they need direct, secure access to individual Azure VMs.

A Point-to-Site (P2S) VPN gateway connection lets a single client computer create a secure connection to your Azure virtual network. P2S connections are established over either SSTP or IKEv2, and can be configured using certificate or RADIUS authentication.
